DETAILED ACTION

1. Claims 1-11, 13, 15-17, 19-21, and 23-26 are pending.

2. Response filed 02/21/2007 has been received and considered. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

4. Claims 1-2, 10, 11, 13, 15-17, 19-21, 25, and 26 are 
rejected under 35 U.S.C. 103(a) as being unpatentable over 
I'Anson et al (EPO 0474932), further in view of Park (US 
6363458), and further in view of Shanklin et al (US 6487666). 

As per claims 1, and 19-21, I'Anson discloses identifying 
at least two valid states associated with the network protocol 
in which a first host system communicating with a second host 
system using the network protocol may be placed; defining at 
least one valid transition between a first state of the at least 
two valid states and a second state of the at least two valid 
states; determining that a connection under the network protocol 
is in the first state; analyzing the stream based at least in
part on the determination that the connection under the network
protocol is in a first state to determine whether the packet is
associated with the at least one valid transition (see p. 3
lines 22-39 and p. 4 lines 27-49).

I'Anson fails to disclose defining an invalid state with a 
plurality of transitions to the invalid state and expressing the 
at least one valid transition and the invalid transition in the 
form of a regular expression and using the regular expression to 
analyze the network protocol stream. 

However, Park teaches the use of an invalid state with a 
plurality of transitions to the invalid state (see column 7 line 
15 through column 8 line 41 and Figure 2a) and Shanklin et al 
teaches the use of regular expressions (see column 6 lines 39-57).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use the invalid state 
with a plurality of transitions to the invalid state of Park and 
Shanklin et al's regular expressions defining all transitions to 
analyze the protocol of I'Anson. 

Motivation to do so would have been to invalidate requests 
and to recognize and evaluate identifiers, special symbols, or 
other tokens.

As per claim 2, the modified I'Anson, Park, and Shanklin et
al system discloses compiling the regular expression into 
computer code (see Shanklin et al column 6 lines 39-57). 

As per claims 10-11, the modified I'Anson, Park, and 
Shanklin et al system discloses keeping track of which of the at 
least two states the first host system currently is in and 
changing the tracked state of the first host system from the 
first of the at least two states to the second of the at least 
two states in the event the analysis of the network protocol 
stream indicates the at least one valid transition has taken 
place (see I'Anson p. 4 lines 27-49).

As per claim 13, the modified I'Anson, Park, and Shanklin 
et al system discloses the invalid transition indicates that a 
security-related event has taken or is taking place and defining 
a further state corresponding to the invalid operation (see p. 4 
lines 18-26 where the security related event is the intrusion of 
Shanklin et al as applied with Park).

As per claims 15-17, the modified I'Anson, Park, and 
Shanklin et al system discloses keeping track of which state, 
from the set comprising the at least two states and the further 
state, the first host system currently is in; and changing the 
state of the first host system to the further state in the event 
that the analysis of the network protocol stream indicates the 
invalid operation has taken place and in the event that the
analysis of the network protocol stream indicates the invalid 
operation has taken place, an indication that the invalid 
operation has taken place then discontinuing analysis of the 
network protocol stream once the state of the first host system 
has been changed to the further state (see I'Anson page 4). 

As per claims 25 and 26, the modified I'Anson, Park, and 
Shanklin et al system discloses the invalid transitions 
correspond to a plurality of disallowed security events and 
performing error handling (see Shanklin column 2 lines 16-21 and 
Park column 8 lines 12-20).

5. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 2 above, and further in view of 
Wijendran (AWK-to-C Translator).

As per claims 3-4, the modified I'Anson, Park, and Shanklin 
et al system fails to disclose the use of optimal C programming 
language code. 

However, Wijendran teaches this optimal C code (see page 1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Wijendran's optimal
C code in the modified I'Anson, Park, and Shanklin et al system.

Motivation to do so would have been to maximize runtime
performance (see page 1).

6. Claim 5 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 2 above, and further in view of 
Mangione-Smith (How many vector registers are useful?). 

As per claim 5, the modified I'Anson, Park, and Shanklin et 
al system fails to disclose the use of nearly optimal computer 
code.

However, Mangione-Smith teaches nearly optimal code (see
page 1).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Mangione-Smith's
nearly optimal code in the modified I'Anson, Park, and Shanklin
et al system. 

Motivation to do so would have been that nearly optimal 
code requires less vector registers (see page 1). 

7. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 1 above, and further in view of Blam 
(US 6467041).

As per claim 6, the modified I'Anson, Park, and Shanklin et
al system fails to disclose copying the stream to a third party 
to be analyzed. 

However, Blam teaches a third party analyzer (see column 6 
lines 5-29).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Blam's third party
analyzer to analyze the protocol analyzer of the modified 
I'Anson, Park, and Shanklin et al system. 

Motivation to do so would have been to perform the analysis 
regardless of what resources are on the network or client (see 
column 6 lines 5-29).

As per claims 7-9, the modified I'Anson, Park, Shanklin et 
al system, and Blam system discloses the network protocol stream 
comprises packets of data, each packet being associated with a 
sequence number indicating its position relative to other 
packets in the protocol stream, and the third system reassembles 
the packets into the order indicated by the respective sequence 
numbers of the packets received where a copy of the network 
protocol stream is maintained in the third system until analysis 
has been completed and in the event the packets are received by 
the third system in sequence number order, a copy is maintained 
in the third system only of those packets comprising the portion
of the network protocol currently under analysis (see I'Anson
pages 4-5 and Blam column 6 lines 5-29).

8. Claim 23 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 1 above, and further in view of Brown 
et al (US 6604075).

As per claim 23, the modified I'Anson, Park, and Shanklin 
et al system fails to disclose performing error handling that is 
specific for one of the plurality of invalid transitions. 

However, Brown et al teaches the error handling of a 
specific invalid state (see column 11 lines 9-18). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to include error handling 
of a specific invalid state in the modified I'Anson, Park, and 
Shanklin et al system. 

Motivation to do so would have been that the error needs to 
be handled by an application or user with specific knowledge 
associated with the processing. 

9. Claim 24 is rejected under 35 U.S.C. 103(a) as being
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 1 above, and further in view of Oran 
(US 6275574).



Application/Control Number: 09/964,272 Page 9 

Art Unit: 2137 

As per claim 24, the modified I'Anson, Park, and Shanklin 
et al system fails to disclose grouping the regular expressions 
according to their similarity. 

However, Oran teaches such grouping (see column 8 lines 8-21).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to group the regular 
expressions of the modified I'Anson, Park, and Shanklin et al 
system. 

Motivation to do so would have been to define precedence 
for the regular expressions. 

Response to Arguments 

10. Applicant's arguments filed 02/21/2007 have been fully 
considered but they are not persuasive. Applicant argues that 
Park is non-analogous art and the modified I'Anson, Park, and 
Shanklin et al system fails to disclose a plurality of 
transitions from the first state to the invalid state. 

With respect to Applicant's argument that Park is non-analogous
art, it has been held that a prior art reference must
either be in the field of applicant's endeavor or, if not, then 
be reasonably pertinent to the particular problem with which the 
applicant was concerned, in order to be relied upon as a basis 
for rejection of the claimed invention. See In re Oetiker, 977
F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992). In this case 
Applicant's invention relates to using a regular expression to 
define transitions between states when analyzing a protocol for 
security related events. Park is related to the present 
invention in that Park discloses a network protocol (reading and 
writing from local or remote nodes to a home node) and defining 
states to analyze this protocol (valid read and write states and 
an invalid state). Both Applicant's present invention and Park 
relate to analyzing a network protocol for events, which trigger 
an invalid state; therefore Park is analogous art. 

With respect to Applicant's argument that the modified 
I'Anson, Park, and Shanklin et al system fails to disclose a 
plurality of transitions from the first state to the invalid
state, Park teaches a transition from a first state (the read
only state) to an invalid state and also from the read only 
state to the write transit state to the read state to the 
invalid state. Therefore because there is a second transition 
(although through different states) from the read only state to 
the invalid state the modified I'Anson, Park, and Shanklin et al 
system discloses a plurality of transitions from the first state 
to the invalid state.

Conclusion

11. THIS ACTION IS MADE FINAL. Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action 
is set to expire THREE MONTHS from the mailing date of this 
action. In the event a first reply is filed within TWO MONTHS 
of the mailing date of this final action and the advisory action 
is not mailed until after the end of the THREE-MONTH shortened 
statutory period, then the shortened statutory period will 
expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated 
from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than 
SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-38655. The fax phone number for the 
organization where this application or proceeding is assigned is
703-872-9306. 

Information regarding the status of an application may be 
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system,
see http://pair-direct.uspto.gov. Should you have questions on
access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free).

MJP 

EMMANUEL L MOISE 
SUPERVISORY PATENT EXAMINER 



